From 3779fca8c766b18b6d68feda9ed7958aa60bd4cf Mon Sep 17 00:00:00 2001 From: John Levon Date: Thu, 21 Apr 2022 13:43:44 +0100 Subject: support AFL++ fuzzing (#623) To support fuzzing with AFL++, add a "pipe" transport that reads from stdin and outputs to stdout: this is the most convenient way of doing fuzzing. Add some docs on how to run a fuzzing session. Signed-off-by: John Levon Reviewed-by: Swapnil Ingle Reviewed-by: Thanos Makatos --- docs/testing.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'docs') diff --git a/docs/testing.md b/docs/testing.md index 71a80b6..11b3301 100644 --- a/docs/testing.md +++ b/docs/testing.md @@ -22,3 +22,38 @@ Debugging Test Errors Sometimes debugging Valgrind errors on Python unit tests can be tricky. To run specific tests use the pytest `-k` option in `PYTESTCMD` in the Makefile. +AFL++ +----- + +You can run [American Fuzzy Lop](https://github.com/AFLplusplus/AFLplusplus) +against `libvfio-user`. It's easiest to use the Docker container: + +``` +cd /path/to/libvfio-user/src +docker pull aflplusplus/aflplusplus +docker run -ti -v $(pwd):/src aflplusplus/aflplusplus +``` + +Set up and build: + +``` +apt update +apt-get -y install libjson-c-dev libcmocka-dev clang valgrind python3-pytest debianutils flake8 libssl-dev cmake + +cd /src +export AFL_LLVM_LAF_ALL=1 +make CC=afl-clang-fast WITH_TRAN_PIPE=1 + +mkdir inputs +# don't yet have a better starting point +echo "1" >inputs/start +mkdir outputs +``` + +The `VFU_TRAN_PIPE` is a special `libvfio-user` transport that reads from +`stdin` instead of a socket, we'll use this with the sample server to do our +fuzzing: + +``` +afl-fuzz -i inputs/ -o outputs/ -- ./build/dbg/samples/server pipe +``` -- cgit v1.1
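Review bot: the first snippet does `cd /path/to/libvfio-user/src` and mounts that directory as `/src`, but the later steps run `make` in `/src` and then launch `./build/dbg/samples/server`, both of which sit relative to the repository root (where the Makefile referenced earlier in this file lives), so the first line should probably be `cd /path/to/libvfio-user` so that the bind mount covers the whole tree. Two smaller points on the same hunk: the sentence "reads from `stdin` instead of a socket, we'll use this with the sample server" is a comma splice and reads better as two sentences; and since the seed corpus is just `echo "1" >inputs/start` with an acknowledged "don't yet have a better starting point", a closing line on how to triage a finding would help readers, e.g. feeding a crash file that AFL++ writes under `outputs/` back into `./build/dbg/samples/server pipe` on stdin under valgrind or a debugger, which the pipe transport makes possible precisely because it reads from stdin.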